Microsoft to patch 22 bugs, 3 zero-days next week

Microsoft today said it will issue 12 security updates next week to patch 22 vulnerabilities in IE, Windows, its Internet server and Visio, the company's data diagramming tool.

The majority of the updates -- 10 of the 12 -- affect Windows, with one of those addressing the IIS 7.0 and IIS 7.5 denial-of-service vulnerability in Windows 7 and Windows Server 2008 R2. The other two will fix one or more flaws in IE and Visio.

Storms said that it's a "safe bet" to assume the Visio update will tackle a file format bug.

It was tough to glean any clues about what specific components Microsoft will patch next week from the advance notification's limited information, added Storms. "With 12 bulletins, it's pretty difficult to guess at what the others will include," he said.

"It's going to be a big day for everybody," Storms said. "It'll be interesting at the end of the day what applications are involved."

Even so, he speculated that one of the updates -- marked today only as "Bulletin 4" -- may address a kernel bug in Windows Vista and Windows 7, as well as Windows Server 2008 and 2008 R2. According to Microsoft, Bulletin 4 will not affect the older Windows XP and Windows Server 2003. That is why Storms pegged the kernel, which Microsoft revamped in Vista and later editions, as a potential suspect.

Last month, Microsoft patched a Vista-only bug that was attributed to the operating system's Backup Manager. That update was the seventh Microsoft has released to repair "DLL load hijacking" or "binary planting" vulnerabilities that researchers disclosed last August.

Microsoft will release the 12 updates at approximately 1 p.m. ET on Feb. 8.